Managing Risk Appetite as a Cybersecurity Professional
One of the questions my mentees ask me most often is how to manage risks in their company without taking it personally. Listen, I get it. It's hard to take pride in something you do and then not think it's your fault when a recommendation you've made is rejected or even ignored. Mostly, these business decisions aren't a statement that the work you've done had no value; they just mean that the organization evaluates risk differently than you do. Their appetite for risk, which usually is mitigated with spend, is greater than yours.

Let's say you identified what you think is a critical risk to the business. A hypothetical example would be preventing data leakage from insider threats. You've spent several hours looking over the risk scenarios, mapped out where your gaps are, performed a probability/impact analysis and a cost analysis, and know what a solution will cost. However, you are unclear on what the cost of this risk becoming a reality is. You identifie...